Overview
overview: Score 10/10
Static
static: Score 7/10
0b42c766b0...32.exe (windows7-x64): Score 10/10
11f9bb7186...6b.exe (windows7-x64): Score 3/10
childmoney.exe (windows7-x64): Score 3/10
1c281ece6f...2a.exe (windows7-x64): Score 3/10
32bb88fa59...4b.exe (windows7-x64): Score 3/10
5056cbe553...3d.exe (windows7-x64): Score 3/10
50e0f20cb3...69.exe (windows7-x64): Score 6/10
57bbc27030...7b.exe (windows7-x64): Score 3/10
65a84ff98e...02.exe (windows7-x64): Score 10/10
6db6ac1ce8...be.exe (windows7-x64): Score 10/10
72745efc42...46.exe (windows7-x64): Score 10/10
751fb51baa...fe.exe (windows7-x64): Score 10/10
95e95a5be0...63.exe (windows7-x64): Score 3/10
a935725900...07.exe (windows7-x64): Score 3/10
c190931380...74.dll (windows7-x64): Score 3/10
dafc6c03ef...19.exe (windows7-x64): Score 1/10
e3c6c48ba7...87.exe (windows7-x64): Score 10/10
edbb453cc0...46.exe (windows7-x64): Score 5/10
f633e6f255...4b.exe (windows7-x64)
fda537bc5e...ad.exe (windows7-x64): Score 3/10
General
-
Target
New folder (2).rar
-
Size
3.7MB
-
Sample
241103-x1b8ws1lgt
-
MD5
f8410956c346cd59ed8097e7d9d09fe5
-
SHA1
7521bd800298e80a97e91c7e9c0814d6d1dcca85
-
SHA256
49f236dbcde6f32d6573c8d4ca9922b4f9a60a18aacea5c2421d08997ef14a33
-
SHA512
85f7e5ef7cabc63b6b1797f22f2e25dbfd1f046251258d6bceaf87d231c01f545467ac50a0a0fd2186342dd45fe1bab7077c3fdb61b1f475ff17911a204053d9
-
SSDEEP
98304:oeRzhLCpeWvgPdVWQO5J9kgMUKqxKB3773C:geWvglMQ9gMUKqwB3q
Behavioral task
behavioral1
Sample
0b42c766b056ee3a04b2e0b833c4f42e1520516e047330df3c5640dfcc492232.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
11f9bb7186adbefb2633904f1626b20f3f8d0d3ecb98e55a3a81e6a17039786b.exe
Resource
win7-20240903-en
Behavioral task
behavioral3
Sample
childmoney.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
1c281ece6f6be8983f6f858636ddf9169dcb00ec2c0a98d0797bf8d3619cb22a.exe
Resource
win7-20240903-en
Behavioral task
behavioral5
Sample
32bb88fa592ba0f338d58730d224728823684134157afe5892f5bbd8c042d54b.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
5056cbe5539d0e171c81451306f2a970b43a6039dd847316a96f24be7b19453d.exe
Resource
win7-20240903-en
Behavioral task
behavioral7
Sample
50e0f20cb3844c6b0ddc4af01daf274b7ebdddd0d322f06f05b7d6fec7c16869.exe
Resource
win7-20240729-en
Behavioral task
behavioral8
Sample
57bbc27030a7c47b62aa08d6d05b6c7eee36010246260924ed6b85ff7e53917b.exe
Resource
win7-20240903-en
Behavioral task
behavioral9
Sample
65a84ff98e09a002d01b1c2935ca603125c8ddcb5c5824da9cc60787594a5202.exe
Resource
win7-20240708-en
Behavioral task
behavioral10
Sample
6db6ac1ce8f946e0b441c1a1be1b0f094cef331231ae4f9d58b30e3e353145be.exe
Resource
win7-20240903-en
Behavioral task
behavioral11
Sample
72745efc423d4adb76434360755cfbc3cfe8fa47ba8e5fa2920ada7dc9ceb146.exe
Resource
win7-20241010-en
Behavioral task
behavioral12
Sample
751fb51baa5a4ed44c9c2bb45b824831914025e87d4d866e5861a38f734d8bfe.exe
Resource
win7-20240903-en
Behavioral task
behavioral13
Sample
95e95a5be0b57cee969c5d9f616be2e973bc08a77482c75570936faaaaa35063.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
a935725900d1ad19b92bcda1c0d612bccccd8bba53dd6e13cabe6d59d7874607.exe
Resource
win7-20241010-en
Behavioral task
behavioral15
Sample
c19093138028ea6a6a6665e270c36558757931f1d7f6f88910b08e39903a1774.dll
Resource
win7-20240729-en
Behavioral task
behavioral16
Sample
dafc6c03ef671f66ddbe47e6eee600d2dfa894eee1c1b67d51d3a24532f58e19.exe
Resource
win7-20240903-en
Behavioral task
behavioral17
Sample
e3c6c48ba7d213e5c5c31f43d70dc4ca1709fc29e06883f64487ad049a520b87.exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
edbb453cc08e8ac79d0c60c0f1ca3803060e8c3a4dd2e2a7b40c50ec3fb0dd46.exe
Resource
win7-20240903-en
Behavioral task
behavioral19
Sample
f633e6f25507a6d99ad2474ca4528ef4fdf8f124cade2daa51d310733a62114b.exe
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
fda537bc5e4051c8c69491089041df58483e31f410f180c5767901a53a67f9ad.exe
Resource
win7-20240903-en
Malware Config
Extracted
pony
http://209.59.223.57/ponyd/gate.php
http://204.145.80.32/ponyd/gate.php
Targets
-
-
Target
0b42c766b056ee3a04b2e0b833c4f42e1520516e047330df3c5640dfcc492232
-
Size
112KB
-
MD5
f004f9006a9593085ea7b8137b1a49b0
-
SHA1
f934c59beed0e2ce22f7e599ca044896891e6b50
-
SHA256
0b42c766b056ee3a04b2e0b833c4f42e1520516e047330df3c5640dfcc492232
-
SHA512
a92dd14212f3e2bfcb28367156dcb1812e127f36d7d20000a1f9e2349f9d9cc7576672dbdcbb8bd0834a6eb06ff8ef4b039483c63c3aae5aab7e2aad1b95e345
-
SSDEEP
1536:nUYy7yep5ACr/BTHVrWRNUFhipHo6JiAXE7ddHQ:Eyep5AKIRTjpE7ddH
-
Modifies Windows Firewall
-
Adds Run key to start application
-
-
-
Target
11f9bb7186adbefb2633904f1626b20f3f8d0d3ecb98e55a3a81e6a17039786b
-
Size
270KB
-
MD5
ff65efde80e228ed8173eccac713994f
-
SHA1
12f7dd1c7f9cbc49c5c979d3b8d7ee6aa7bde2f4
-
SHA256
11f9bb7186adbefb2633904f1626b20f3f8d0d3ecb98e55a3a81e6a17039786b
-
SHA512
04e5d383274a58795e3cf3bac130dfd958f90454e9c08714d344711664bc81dbaa247746261167b596e73d172ca66853b58d6a2539232657b7f3f34af0199dba
-
SSDEEP
3072:lzJktbbENFvx0HPaeXseTbCbXRVr9j3f0gKvzCrsWdoXz1fm1noSCgcg8Z+6HSGs:lzJktb4NFWbcePCbXtGCYu1no+4y8yz
Score 3/10
-
-
-
Target
childmoney.exe
-
Size
404KB
-
MD5
71a0eb4f260866a58bb2006bad6d0c06
-
SHA1
0eec33b6d27fc49422272c4151f22e1733628573
-
SHA256
e79573b066c38263029bdef41c8fe359018750b67728772ff596e03b96c2fa48
-
SHA512
fda1ffc4dd7cbbf376901e2540f7311397b0084f59b87e7133112b6bfacc710928235e3254b120123ffc3926190a909e406a0c7e6052ca583fbd7d643f65e27c
-
SSDEEP
6144:MRUYl1sSFgeDtNmYoRJ1hO9WAJw3FvT2mRjncS0EIhKEeh5lkiTO60JnzCY:qVg8A/OcAuVSEDcJEIAflXWn7
Score 3/10
-
-
-
Target
1c281ece6f6be8983f6f858636ddf9169dcb00ec2c0a98d0797bf8d3619cb22a
-
Size
176KB
-
MD5
4565b39844ce45f6b6440ce050a7d70c
-
SHA1
8ff6eeb364a072efedd298d4711ef6069a258107
-
SHA256
1c281ece6f6be8983f6f858636ddf9169dcb00ec2c0a98d0797bf8d3619cb22a
-
SHA512
ffa69bf743426a1b6d0fc39b0f9aa2742067414f7aa8cbb355a81a8bdcb8bc7cd42af45689d01ab493bdc61e5ce944999aebe13bf56505ffc77ab46883b39850
-
SSDEEP
3072:lzJ739yiwUGmuxpbvm5HJCNJxWlnhL8ac7lxJ7wzM9:lzJx/wUGbrLm5HJCRWln18Z7lTMzU
Score 3/10
-
-
-
Target
32bb88fa592ba0f338d58730d224728823684134157afe5892f5bbd8c042d54b
-
Size
270KB
-
MD5
1d7e40a4a9c7ed251cacfddaea76e43a
-
SHA1
0efc124633fa9e07385d0cb6ce4c0b45dbbd0c24
-
SHA256
32bb88fa592ba0f338d58730d224728823684134157afe5892f5bbd8c042d54b
-
SHA512
ad275a1c5cb6e0ca5e52b3d49a0e8c1ccac0371c0c6923dab65f27f9506e290baae200c8662a827aad93aa48bba9f095eae7d4784b3af68d6fb645a9d4e5f3ea
-
SSDEEP
3072:+zJktbSENFvx0HPaeXseTbCbXRg9j3f0gKvzCrsWdoXz1fm1noSCgcg8Z+6HSGRv:+zJktbjNFWbcePCbXoGCYu1no+4y8yBA
Score 3/10
-
-
-
Target
5056cbe5539d0e171c81451306f2a970b43a6039dd847316a96f24be7b19453d
-
Size
270KB
-
MD5
e18de50458a0c1937bd82275c21304cd
-
SHA1
5d9a28fef0e62b1636ad7a2485168d4955639159
-
SHA256
5056cbe5539d0e171c81451306f2a970b43a6039dd847316a96f24be7b19453d
-
SHA512
9e0834f45c0ad266391654c66ee13b8a3d358eb0cb5187df48a56a5e14d96cc0cbe7a773970bbaf290cb71900f0df58ceed8f8562bf74ea3ec9ffd092fbd347a
-
SSDEEP
3072:lzJktbbENFvx0HPaeXseTbCbXRVr9j3f0gKvzCrsWdoXz1fm1noSCgcg8Z+6HSGo:lzJktb4NFWbcePCbXtGCYu1no+4y8yn
Score 3/10
-
-
-
Target
50e0f20cb3844c6b0ddc4af01daf274b7ebdddd0d322f06f05b7d6fec7c16869
-
Size
564KB
-
MD5
31aa278085c235260fb64311532b1893
-
SHA1
2fdbb2ad8abdc69d7d4d1115287f3513c31446a1
-
SHA256
50e0f20cb3844c6b0ddc4af01daf274b7ebdddd0d322f06f05b7d6fec7c16869
-
SHA512
b761774f02c3814d8d965ad4e70a3bda31184abbf3f7293c6885904ca192f9406c27ba4c2f0b9ecc1920534a4a01353a8213f880449aa5aa1dc54bfe80357f2d
-
SSDEEP
12288:bwla+aTeq8Rg1yVkzES8RZTOy0fl+rsuNkabtW:kM+Z3S1uJSCvCwrsqr
Score 6/10
-
Adds Run key to start application
-
-
-
Target
57bbc27030a7c47b62aa08d6d05b6c7eee36010246260924ed6b85ff7e53917b
-
Size
233KB
-
MD5
bfa8d7e786efd8a037f2dcce4335b4b0
-
SHA1
87841dc8f57f9b4f364fa719ca520c33677c0d9f
-
SHA256
57bbc27030a7c47b62aa08d6d05b6c7eee36010246260924ed6b85ff7e53917b
-
SHA512
8ab214628025e08c2c408bfb53491f5bcfde4e5c78ecb679fa1db262b2f9fdfcebc4a9e3d99cc59fd7c726e3daa38b056c0d19ffaaed203462863fb8544ccaca
-
SSDEEP
3072:pEjewHbVgiarKbnubRfwl41JA+OKs7uTiuTKx:pEjnHb5B69wCA+OKtTNT
Score 3/10
-
-
-
Target
65a84ff98e09a002d01b1c2935ca603125c8ddcb5c5824da9cc60787594a5202
-
Size
505KB
-
MD5
cfa33fbbf74e795ec3008aec9f70e3f7
-
SHA1
9954d9bdcd643ea2a8121f058eb9e30b65439488
-
SHA256
65a84ff98e09a002d01b1c2935ca603125c8ddcb5c5824da9cc60787594a5202
-
SHA512
a1805d03d02545424429715177eadd16921d8804d53412e17054c2ac95591b71660be0e33d626fc823c16773a95cbe73efa03a188bb4a1ee97c2645408ec6ee4
-
SSDEEP
1536:9NhENNo2oa5pHwAVvu0IysOPv3YdI3EpCK+V5iR/yKoDn66XujshkGXE7rFKh:9gN5ogyJ0XgdsEIKlyKo26Jkj7rF
-
Modifies firewall policy service
-
Modifies security service
-
Modifies visibility of file extensions in Explorer
-
Modifies visibility of hidden/system files in Explorer
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory
-
Event Triggered Execution: Image File Execution Options Injection
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
6db6ac1ce8f946e0b441c1a1be1b0f094cef331231ae4f9d58b30e3e353145be
-
Size
148KB
-
MD5
8fa1825810977b3f875a88de9d757453
-
SHA1
1d5d3b3cb8312ec72fba34f4d11ca52e212cc88d
-
SHA256
6db6ac1ce8f946e0b441c1a1be1b0f094cef331231ae4f9d58b30e3e353145be
-
SHA512
f2da58ab80b8f51ea218ea3f20d414b4532325bde9378c3626ee6b455a863412e6e96da424051f16a320b3ca2d811a4030210adfe5a63bbc19c4196c0327b24c
-
SSDEEP
3072:KA2hCdFXayYEf4B3UptTDYiYC5p5vWwYn9k:7MCbayFfaeCirpQn9
-
Pony family
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext
-
-
-
Target
72745efc423d4adb76434360755cfbc3cfe8fa47ba8e5fa2920ada7dc9ceb146
-
Size
82KB
-
MD5
6268ccc19622e7148a988efc4597ff87
-
SHA1
f92a2464269e0a969465f169a2969d3e8b2014f1
-
SHA256
72745efc423d4adb76434360755cfbc3cfe8fa47ba8e5fa2920ada7dc9ceb146
-
SHA512
e9ed140e4bd7ba998639667388dfb39cd9843a960086208076d3c10603e1348c5cc95965e91866897e1c10e762a3eff48cc9e1950ce82be82888373d52985844
-
SSDEEP
1536:VxBqJVw6hRTDS2DO/RJJWVE3NPFcNmTQU95FmJx:Vqo6hFDSd0y3NPoW95FmJ
Score 10/10
-
Modifies WinLogon for persistence
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
751fb51baa5a4ed44c9c2bb45b824831914025e87d4d866e5861a38f734d8bfe
-
Size
256KB
-
MD5
1ef9ec76a43b0a208704cdca562e84cd
-
SHA1
d31082243a555a690d5576c9666648f89e673f63
-
SHA256
751fb51baa5a4ed44c9c2bb45b824831914025e87d4d866e5861a38f734d8bfe
-
SHA512
18d9cc4109d526f1588129e9fb6f8b8db4601d5e4c1231d9b58440d27f041044551d5da5afb2fefc9bd62be6a90506aa5b4bd29d788e448c7c0c9b3f7ed4b772
-
SSDEEP
3072:hJNgCPq8kZpStF3BifIYaX2blO3SbPoTBfnl7hAg0FuW92tpItc6mSbMPzKq:RtP7DR4dB1bPoTBPl7hAOwU16mn7
Score 10/10
-
Modifies WinLogon for persistence
-
-
-
Target
95e95a5be0b57cee969c5d9f616be2e973bc08a77482c75570936faaaaa35063
-
Size
843KB
-
MD5
c5dbc01ab92265d4bd1355857989cd09
-
SHA1
34ead67e09348de35da20bf9de3ec23a78986992
-
SHA256
95e95a5be0b57cee969c5d9f616be2e973bc08a77482c75570936faaaaa35063
-
SHA512
4b3406c89a5489690041b904bbdb749785df23ab791835964ac8d58930426f40bf4da33e9f37a18d107a927b1c78197c346633a18a6d82a602483f11c99c1cf5
-
SSDEEP
12288:qVg8A/OcAuVSEDcJEIAflJqCThplNe5UXrhXJSwgOR9wDqn9SpUtIF2bCpzk94gN:qwBVaOIA0C1H4EhXJS3oIqnDeZzW0Y
Score 3/10
-
-
-
Target
a935725900d1ad19b92bcda1c0d612bccccd8bba53dd6e13cabe6d59d7874607
-
Size
377KB
-
MD5
0108dd030ff9f1316c885b9df61d3409
-
SHA1
7a852edb9f3f80b3abf2813db7bb84eecb07e051
-
SHA256
a935725900d1ad19b92bcda1c0d612bccccd8bba53dd6e13cabe6d59d7874607
-
SHA512
860a6d464e5b903162d4cb355b8c997dfb2d51cfb015891cde2b5560264a654a4e7b8dd62fa3a3e72f7dd0f22098b554ef34b2621a8a8d78482bd33ec23dbd57
-
SSDEEP
6144:MRUYl1sSFgeDtNmYoRJ1hO9WAJw3FvT2mRjncS0EIhKEeh5lkh6TF91:qVg8A/OcAuVSEDcJEIAflFN
Score 3/10
-
-
-
Target
c19093138028ea6a6a6665e270c36558757931f1d7f6f88910b08e39903a1774
-
Size
66KB
-
MD5
682e2024a229429202cb86dff22c7564
-
SHA1
adffba9e3b0f2f387b9b43793f274aa102df981f
-
SHA256
c19093138028ea6a6a6665e270c36558757931f1d7f6f88910b08e39903a1774
-
SHA512
289fdfd7d1e6ff58af8a07df117a93b86777e4a9b4e68c1406a43f85de7ea22be7511795a569b47d790289d8c8e7cc98f64e2f679819009d9293e5d03575ccd7
-
SSDEEP
1536:iuDxWf9xmOPtwwJcx1BFTor3TE6ReTL0n63huKwX:iusfmSUxC3tRQ0n62X
Score 3/10
-
-
-
Target
dafc6c03ef671f66ddbe47e6eee600d2dfa894eee1c1b67d51d3a24532f58e19
-
Size
190KB
-
MD5
94b4c54d8b6df1621ac896c7d53ef41e
-
SHA1
d8a60f72e942db79d83945fdf7788f1b1259260e
-
SHA256
dafc6c03ef671f66ddbe47e6eee600d2dfa894eee1c1b67d51d3a24532f58e19
-
SHA512
7450f64bd9af8bfcdeb8f1264dd1dd62b4e22761578c9c64f9bb0fa7da3a982a7eba543ff903a56d941dc6c1a333bc2877cca99e8e12044cb913319a27a966cb
-
SSDEEP
3072:uKCF8UpK37WQUoBTBn+KQxvuj0XMPI3nFtf8eTFgU3AKOs8q0uyxzdAPLTOGR0/:NCF88KLWhoB9muAXMPneZgU3ALswukdH
Score 1/10
-
-
-
Target
e3c6c48ba7d213e5c5c31f43d70dc4ca1709fc29e06883f64487ad049a520b87
-
Size
34KB
-
MD5
946a8c16227ad3af210f9fc0dbee211d
-
SHA1
bb0a6b3ab7b57a23da69a909542874bade4dd2f2
-
SHA256
e3c6c48ba7d213e5c5c31f43d70dc4ca1709fc29e06883f64487ad049a520b87
-
SHA512
e64d929917e24597199399a8b3d40925d1fef89f2dd4a8cae6c312cb4fc028cb70fc53e46bf3aea1f36e1eaa5f79901e273ec7a8ff58c780426627a3960b8bd3
-
SSDEEP
768:l5OkRI7u8xe92wYsPJrL/rOAEbfbbz8Msjd29TBDP:l51RIq2e9lPJvKr0pjwZ
Score 10/10
-
Modifies WinLogon for persistence
-
-
-
Target
edbb453cc08e8ac79d0c60c0f1ca3803060e8c3a4dd2e2a7b40c50ec3fb0dd46
-
Size
30KB
-
MD5
429c70c311b1740241d83b79adde656b
-
SHA1
0e24796803f081ec6ab3a31e551f32b3754b29ce
-
SHA256
edbb453cc08e8ac79d0c60c0f1ca3803060e8c3a4dd2e2a7b40c50ec3fb0dd46
-
SHA512
0c1ac8034648cb895e3832915a797cba2d4d04c63b7b84b96a811109501f017ec61efc8ed37943d5d2f72baa1205e09ff189f670a3d4841abd58b0058bd38be5
-
SSDEEP
768:0woYMIgddEm5bh53EhSt3lScLJOtfq+X30fF:vdKAW/UUWtfq+X30N
-
-
-
Target
f633e6f25507a6d99ad2474ca4528ef4fdf8f124cade2daa51d310733a62114b
-
Size
160KB
-
MD5
f0949d80cff63963625fcdf1fbb77ca8
-
SHA1
9e640241e9b3c11af65665d6ebde18d762bf2d2a
-
SHA256
f633e6f25507a6d99ad2474ca4528ef4fdf8f124cade2daa51d310733a62114b
-
SHA512
bc97e3a430a7f7d09acb7dd1ca5cb9d100141371355fab7768155a9265c56777e06de67ffe7b8ad82b762f8306ae64534abc8ad7947b3f0c1e86d6487e5f1f51
-
SSDEEP
3072:usN4+W+ogJ4i9zgCTwTmYPtZNpVvQVZQUrUMyCZLFJd3:VDTJKzqOuVzAMyOp
Score 7/10
-
Deletes itself
-
Executes dropped EXE
-
Loads dropped DLL
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of SetThreadContext
-
-
-
Target
fda537bc5e4051c8c69491089041df58483e31f410f180c5767901a53a67f9ad
-
Size
349KB
-
MD5
08bc9bbddebf41c4efef41aca0d7e2da
-
SHA1
9920e552c1a68cc766643e2069ed0a3050c2cbdb
-
SHA256
fda537bc5e4051c8c69491089041df58483e31f410f180c5767901a53a67f9ad
-
SHA512
4e2c7a7e1a442cefdaf74be6ea66de7d997d54e9c91252711e35261d678be7e3629f119f42798bb22f2d1346eaa13de792c060cf79c8255c7f7175b27b693155
-
SSDEEP
6144:MRUYl1sSFgeDtNmYoRJ1hO9WAJw3FvT2mRjncS0EIhKEeh5lk/r:qVg8A/OcAuVSEDcJEIAfl6
Score 3/10
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution: 2
  Registry Run Keys / Startup Folder: 1
  Winlogon Helper DLL: 1
Create or Modify System Process: 3
  Windows Service: 3
Event Triggered Execution: 2
  Image File Execution Options Injection: 1
  Netsh Helper DLL: 1
Pre-OS Boot: 1
  Bootkit: 1
Privilege Escalation
Abuse Elevation Control Mechanism: 1
  Bypass User Account Control: 1
Boot or Logon Autostart Execution: 2
  Registry Run Keys / Startup Folder: 1
  Winlogon Helper DLL: 1
Create or Modify System Process: 3
  Windows Service: 3
Event Triggered Execution: 2
  Image File Execution Options Injection: 1
  Netsh Helper DLL: 1
Defense Evasion
Abuse Elevation Control Mechanism: 1
  Bypass User Account Control: 1
Hide Artifacts: 2
  Hidden Files and Directories: 2
Impair Defenses: 5
  Disable or Modify System Firewall: 2
  Disable or Modify Tools: 3
Indicator Removal: 1
  Clear Persistence: 1
Modify Registry: 12
Pre-OS Boot: 1
  Bootkit: 1
Credential Access
Credentials from Password Stores: 1
  Credentials from Web Browsers: 1
Unsecured Credentials: 3
  Credentials In Files: 3